
GDPR: How to let a thousand flowers bloom – and preserve the rights and freedoms of our students



This is the third in a series of three posts penned by itslearning's Data Protection Officer (DPO), John-Arthur Berg.

I have always believed that the best teachers are the ones who can continuously reinvent their practices. A tech-savvy teacher is not necessarily a great teacher, but an innovative teacher who has the ability to combine new technology with sound pedagogical practices can make a lasting impact on the learning outcome of his or her students.

In the US, these teachers are often called trailblazers: early adopters of new practices and technology, laying the foundation for other teachers to walk the same path. Most schools have a trailblazer, enthusiastically but thoughtfully applying new technologies to teaching and learning activities.

In recent years, many of these new technologies have come in the form of online services that require some transfer of personal data. GDPR makes it hard for school leaders to avoid asking difficult questions about the governance of such services. How do we let a thousand flowers bloom, and still preserve the rights and freedoms of our students?

To process the personal data of your student, GDPR will require you to make sure:

  • There is a lawful purpose
  • There is appropriate technical and organizational security
  • The student (and/or his parents) is informed and knows his or her rights
  • You (or anyone else involved in the process) do not use the data for any other purpose
  • His/her data is deleted as soon as the purpose for the processing is no longer valid

How many trailblazing teachers know enough about GDPR to make sure your organisation complies with it? Few. And under GDPR the supervisory authorities have new superpowers that could both embarrass and impoverish your organisation if personal data is passed on to 3rd parties without due consideration.

I would strongly argue that under GDPR, you cannot let your trailblazing teacher decide and control the flow of personal data into various services. (For the record, the same argument goes for pre-GDPR legislation, but let’s look forward, not backward.)

So should we stifle innovation and crack down on the use of new technologies in the classroom? No. But perhaps we can, as often in history, solve a technical problem with a technological solution.

First, standardisation. Interoperability standards are an efficient way of allowing ecosystems of products to develop on top of standardised infrastructure, much as your electrical wall socket allows a plethora of products to be seamlessly brought into your home.

Standards already exist for allowing online tools and services to communicate with LMSs and other platforms. One of the most widely adopted standards is IMS LTI. LTI has some challenges in terms of GDPR. It allows teachers to easily pass on personal data to 3rd parties, and it currently lacks a simple mechanism for deleting the personal data once the purpose for the processing comes to an end. LTI should be adapted to make sure students' right to an expiry date on their personal data is taken care of. LTI could even be wrapped with meta-data about the nature of the processing and the level of security offered.

In terms of the wall socket metaphor, LTI is the way the socket and plug fit together.

Which brings us to another element of standardisation: Codes of Conduct. GDPR allows for industry norms to be developed (and approved), to develop uniform standards for how to secure software that processes personal data. A joint code of conduct would massively simplify a school owner's burden of ensuring, and giving evidence of, a 3rd party providing the appropriate level of security.

To continue with the electrical metaphor, the Code of Conduct is the “CE” mark on the plug.

On top of this, a management platform is needed to control the ecosystem of educational apps that school owners allow teachers to bring into their classrooms. These platforms already exist in many markets, and are referred to as Learning Management Systems; itslearning is one of them. Both itslearning and competing platforms can already, to some extent, allow school owners to balance control and freedom in a way that gives teachers the option to develop their own practices around individual tools.

The last issue to be tackled is the limited bandwidth schools have for doing their due diligence on online services before approving them for use by teachers. But with the appropriate changes to technology standards (like LTI) and good industry standards, perhaps this work could in some cases be left to the LMS. The LMS could bring an ecosystem of tools in as sub-processors, and take a joint responsibility together with school owners for GDPR compliance across a wide range of online services.

(To round up the metaphor, your LMS becomes the fuse box.)
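An added example, not part of the original post and not itslearning's or IMS's code: a sketch of the LMS acting as the gatekeeper described above, stripping personal data from an LTI 1.1 launch unless the school owner has approved it for that tool, and recording a delete-by date for what was shared. The registry, ledger, tool name and sample launch are constructed assumptions; only the launch parameter names come from LTI 1.1.

```python
from datetime import date, timedelta

# LTI 1.1 launch parameters that carry personal data.
PII_FIELDS = {
    "user_id",
    "lis_person_name_given",
    "lis_person_name_family",
    "lis_person_name_full",
    "lis_person_contact_email_primary",
}

# Hypothetical registry kept by the school owner: one entry per approved tool.
TOOL_REGISTRY = {
    "quiz-tool": {
        "purpose": "formative assessment",
        "allowed_pii": {"user_id"},
        "retention_days": 365,
    },
}

# Constructed sample launch, as a teacher's LMS would assemble it.
SAMPLE_LAUNCH = {
    "lti_message_type": "basic-lti-launch-request",
    "lti_version": "LTI-1p0",
    "resource_link_id": "rl-42",
    "roles": "Learner",
    "user_id": "student-0001",
    "lis_person_name_full": "Constructed Student",
    "lis_person_contact_email_primary": "student@example.invalid",
}

def build_launch(tool_id, launch_params, today, ledger):
    """Return minimised launch params; log what was shared and until when."""
    tool = TOOL_REGISTRY.get(tool_id)
    if tool is None:
        raise PermissionError(f"{tool_id} is not approved by the school owner")
    # Non-personal fields pass through; personal ones only if approved.
    shared = {k: v for k, v in launch_params.items()
              if k not in PII_FIELDS or k in tool["allowed_pii"]}
    ledger.append({
        "tool": tool_id,
        "user_id": launch_params["user_id"],
        "fields": sorted(PII_FIELDS.intersection(shared)),
        "purpose": tool["purpose"],
        "delete_after": today + timedelta(days=tool["retention_days"]),
    })
    return shared

def due_for_deletion(ledger, today):
    """Ledger entries whose retention period has ended."""
    return [e for e in ledger if e["delete_after"] < today]
```

The ledger is what gives the school owner something to act on when the purpose ends, since LTI itself has no deletion message to send.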

My general view on GDPR is that it is a very good thing. It is good for our students, it is good for educational institutions and it is good for the EdTech industry. There is a big, untapped potential in using technology and cloud services to improve teaching practices and learning outcomes. One of the keys to unlocking this potential is to earn the trust of teachers, students and parents. In this sense, the increased focus on data protection and privacy due to GDPR will be beneficial for all parties.

 
